clearTextPassword attribute

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Thu Oct 29 02:30:41 MDT 2009


Hi Andrew,
Can you tell me which docs? Maybe I am wrong, but solving such problems by adding an exception to the schema consistency seems to decrease stability. Today it's a hack in ACL module, tomorrow a hack in another. What is the particular reason to do it this way?

Regards,
Nadya
----- Original Message -----
> From: Andrew Bartlett <abartlet at samba.org>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: mwallnoefer at yahoo.de <mwallnoefer at yahoo.de>, samba-technical at samba.org <samba-technical at samba.org>
> Sent: Wednesday, October 28, 2009 6:44:21 PM GMT+0200 Europe;Athens
> Subject: Re: clearTextPassword attribute

> > On Wed, 2009-10-28 at 18:09 +0200, Nadezhda Ivanova wrote:
> > Hi Matthias,
> > Unfortunately the similarity between clearTextPassword and unicodePwd
> > does not help in this case, because we do not care whatsoever
> > about syntax or function, only access rights granted. In 99% of the
> > cases we rely on the defaultSecurityDescriptor or inherited ACEs to
> > determine access, and by default we may have rights given to principal
> > self or administrator over unicodePwd, but never on clearTextPassword.
> > I suppose I could, in acl module, handle clearTextPassword explicitly
> > by checking for the rights of unicodePwd instead, but it will be an
> > ugly hack... And the whole idea of being allowed to use an attribute
> > that is not actually in the schema breaks a ground rule...
> 
> And a hack you should use.  I got the name clearTextPassword from
> Microsoft's own docs.  Just apply the same rights as unicodePwd to any
> update to userPassword, clearTextPassword, unicodePwd or dbcsPwd.  
> 
> In short, password handling is special, particularly once you get to
> password changes. 
> 
> I would expect this is actually a special right, but perhaps they just
> use unicodePwd. 
> 
> Andrew Bartlett
> -- 
> Andrew Bartlett                                
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
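
A sketch of the approach suggested in the quoted reply (check any password-attribute update against the rights held on unicodePwd), added here as an example; it is not code from the thread or from Samba. The `struct ace` model, the function names and the sample ACL are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Simplified write-property grant (hypothetical model, not Samba's structures). */
struct ace { const char *trustee; const char *attr; };

/* The password attributes named in the thread. */
static const char *const pw_attrs[] = {
    "userPassword", "clearTextPassword", "unicodePwd", "dbcsPwd"
};

/* Attribute whose rights govern a write; LDAP attribute names compare case-insensitively. */
const char *acl_attr(const char *attr)
{
    for (size_t i = 0; i < sizeof(pw_attrs) / sizeof(pw_attrs[0]); i++)
        if (strcasecmp(attr, pw_attrs[i]) == 0)
            return "unicodePwd";
    return attr;
}

/* Allow the modify only if every touched attribute is covered by a grant. */
bool may_modify(const struct ace *acl, size_t n, const char *who,
                const char *const *attrs, size_t nattrs)
{
    for (size_t a = 0; a < nattrs; a++) {
        const char *target = acl_attr(attrs[a]);
        bool ok = false;
        for (size_t i = 0; i < n && !ok; i++)
            ok = strcasecmp(acl[i].trustee, who) == 0 &&
                 strcasecmp(acl[i].attr, target) == 0;
        if (!ok)
            return false;
    }
    return nattrs > 0;
}

/* Constructed sample ACL: rights exist on unicodePwd, never on clearTextPassword. */
const struct ace sample_acl[] = {
    {"SELF", "unicodePwd"}, {"Administrators", "unicodePwd"},
    {"Administrators", "description"},
};

int main(void)
{
    const char *const req[] = {"clearTextPassword"};
    printf("SELF writes clearTextPassword: %d\n", may_modify(sample_acl, 3, "SELF", req, 1));
    return 0;
}
```

Because the alias is resolved before the ACL lookup, a request that mixes a password attribute with an ordinary one is still denied unless the caller holds rights on both.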

